The Microsoft security hole at the heart of Russian election hacking

Russian hacking of the 2016 US presidential election went deeper than breaking into the Democratic National Committee and the Clinton campaign — the Russians also hacked their way into getting information about election-related hardware and software shortly before voting began.

The Intercept published a top-secret National Security Agency document that shows exactly how the Russians did their dirty work in targeting election hardware and software. At the heart of the hack is a giant Microsoft security hole that has been around since before 2000 and still hasn’t been closed. And likely never will.

Before we get to the security hole, here’s a little background about how the Russian scheme worked, spelled out in detail by the secret NSA document. Allegedly, Russia’s military intelligence agency, the GRU, launched a spearphishing campaign against a U.S. company that develops U.S. election systems. (The Intercept notes that the company was likely “VR Systems, a Florida-based vendor of electronic voting services and equipment whose products are used in eight states.”) Fake Google Alert emails were sent from noreplyautomaticservice@gmail.com to seven of the company’s employees. The employees were told they needed to immediately log into a Google website. The site was fake; when at least one employee logged in, his credentials were stolen.

Using those credentials, the GRU hacked into the election company, the NSA found, and stole documents for a second, far more dangerous spearphishing attack. In this second attack, launched either on Oct. 31 or Nov. 1, 2016, spearphishing emails were sent to 122 email addresses “associated with named local government organizations,” which probably belonged to officials “involved in the management of voter registration systems.” In other words, the Russians targeted people who maintain voter registration rolls.

Here’s where the Microsoft security hole comes in. Attached to those emails were Microsoft Word documents that the emails claimed were documentation for VR Systems’ EViD voter database product line. In fact, though, they were “trojanized Microsoft Word documents … containing a malicious Visual Basic script that spawns PowerShell and uses it to execute a series of commands to retrieve and then run an unknown payload from malicious infrastructure. … The unknown payload very likely installs a second payload which can then be used to establish persistent access to survey the victim for items of interest to threat actors.”

In plain English, the Word document opened a back door into the victims’ computers, allowing the Russians to install any malware they wanted and get virtually any piece of information to which the victims had access.

It’s not clear what election information the Russians were able to gather or how they might have used it. But by using the Microsoft security hole, they were potentially able to get very close to states’ election hardware and software, and possibly voter rolls as well.

Those with long memories may remember that Visual Basic played a key role in two of the first world-spanning virus attacks, Melissa in 1999 and ILoveYou in 2000. Back in 2002, Michael Zboray, who was then chief technology officer for market researcher Gartner Group and is now Gartner’s CISO, said that Visual Basic has the “wrong security posture,” and added, “Visual Basic script and the macros are proving to be a disaster. This is just happening over and over again. We have to get away from this hostile active content that is coming in through Word documents, Excel spreadsheets and the browser.”

And now, 15 years later, they’re still proving to be a disaster. Visual Basic has given way to Visual Basic for Applications, but the holes remain. The security company Sophos warned in a blog in 2015 that these kinds of attacks were making a comeback. This Russian hack shows they’re back with a vengeance.

It’s unlikely Microsoft will abandon Visual Basic for Applications, because too many enterprises rely on it. So enterprises need to get smarter about its use. Sophos recommends that they consider blocking all Office files that are emailed from outside a company, if those files contain macros created with Visual Basic for Applications. Microsoft offers advice of its own in its security post, “New feature in Office 2016 can block macros and help prevent infection,” including instructions on how enterprises can use Group Policy to block macros from running in Word, Excel and PowerPoint documents sent by email or downloaded from the internet.

Companies need to realize that Visual Basic for Applications and its macros are a potent weapon for hackers and malware authors. If it can threaten U.S. elections, it can certainly threaten enterprises’ most important documents and secrets. Given that Microsoft won’t be shutting down Visual Basic for Applications, enterprises need to take control themselves by blocking macros and scripts on incoming documents.

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.